March 26, 2012
Let’s start with a little exercise. Rate the risk for the following events.
- Going 15 mph over the speed limit.
- Using a public wireless internet connection at the airport.
- Using a third party for payment services.
If you were to ask your neighbor how they would rate them, would it be the same? Go ahead and ask them, I’ll wait. For those not asking, do you think they would be the same? Probably not. Assigning a risk label to an event is too subjective. It’s based upon the person’s experience, profession, and situational awareness. How one labels risk most likely will not be the same as someone else. This is mostly due to the lack of comparable impacts.
Assigning impact consistently is manageable with guidance. These may include factors such as:
- Fiscal costs to replace/fix.
- Employee hours needed (will you have to outsource?)
- Damage to reputation (usually more for service providers)
- Harm to individuals (employees and / or patients)?
Each of these factors and the threshold from one to the next is organization specific. $10,000 in replacement systems for one company may be fairly significant while for another it may be the budget for the annual holiday party. Establishing the different thresholds for each of your risk layers will make this a repeatable process. It’s an easier process than most think; just go through the possibilities for each. If this would cost our organization $__________ it would be bad, $____________ is really bad, and $_______________ is “I’m packing up my office right now.” Just keep doing that on all your impact decision factors.
Creating a matrix will help quickly assign such risk impacts and also ensure that the right people are involved the process. That’s correct: assigning risks, the impact, and the likelihood, shouldn’t be a one person job; there are too many factors for one person to know. Healthcare is a great example. IT can determine how much it would cost to replace/fix a server but IT most likely will not be able to properly gauge organizational reputation damage and the potential harm to patients.
Having more people with different roles also brings more situation awareness (i.e., threat likelihood) to the risk assignment process. They may be aware of additional controls which could lessen the change of the risk being realized. The more the situational awareness is raised allows your company to assess risks with greater understanding and accuracy. For example, would your risks you assigned to the examples above change with the following?
- Going 15 mph over the speed limit in a school zone.
- Using a public wireless internet connection at the airport after Defcon.
- Using a third party for payment services that continues to suffer data breaches.
All of the aspects above increase the maturity level of risk assignments used in Risk Management programs, audits, and everyday operations. It helps everyone within the organization speak the same language and ensure that we compare apples to apples. When everyone is on the same plane and knows how the risks are being assigned there tends to also be less resistance to risk reducing initiatives. This level of organizational “buy-in” is crucial for those projects that have a large impact radius and cross many departmental boundaries.
So how does this all start? The easiest is to integrate this process as part of your Risk Management program and during each Risk Assessment. Use the same processes for your internal audits and have external companies either use your process or provide enough information to allow your group to rate findings again internally. Document the process and the various factors and make sure all involved know what they are. This will lead you down some interesting conversations, but stick to it!
Having an established and consistent process turns the arbitrary into the meaningful.